Flow

Sablier
Foundry, DeFi
20,000 USDC
Submission Details
Severity: medium
Invalid

Lack of `notVoided` Modifier in `depositAndPause` Function in `SablierFlow` Contract

Github

  • https://github.com/Cyfrin/2024-10-sablier/blob/8a2eac7a916080f2022527408b004578b21c51d0/src/SablierFlow.sol#L275

Summary

In the SablierFlow contract, the `deposit` function carries the `notVoided` modifier, so it reverts when called on a voided stream. The `depositAndPause` function, which also deposits tokens into a stream before pausing it, does not carry that modifier, so the two deposit paths do not validate the voided state in the same way. Unless another guard on `depositAndPause` already rejects voided streams, the function can proceed on a stream that is supposed to be terminal, which is unexpected behavior in stream management. Applying `notVoided` to both functions makes the contract's behavior consistent and predictable.

Vulnerability Details

The `depositAndPause` function in the SablierFlow contract deposits tokens into a stream and then pauses it. Unlike `deposit`, it is not guarded by `notVoided`, the modifier that blocks actions on voided streams. A call to `depositAndPause` on a voided stream is therefore not rejected by that modifier, which is likely unintended given that voided streams are supposed to be non-operational.

If no other guard on the function rejects the voided state, the absence of the `notVoided` modifier in `depositAndPause` allows deposits on voided streams, leading to:

  • Token mismanagement, as funds could be deposited into a stream that is supposed to be inactive.

  • Confusion for users or integrating systems that expect voided streams to be permanently non-interactable.

Impact

A user could inadvertently deposit tokens into a voided stream, producing an unexpected token allocation and potential disputes. This matters most when a voided stream is meant to be terminal, so that no further funds should ever enter it.

A deposit path that accepts voided streams also misleads users and downstream applications that rely on the voided state being final, causing errors in systems that assume voided streams are permanently inactive.

Tools Used

Manual Review

Recommendations

Add the `notVoided` modifier to `depositAndPause` so that it behaves consistently with `deposit` and rejects voided streams explicitly, enforcing the intended non-interactive status of voided streams rather than relying on any other guard to do so. Before assigning severity, check whether an existing modifier on `depositAndPause` already rejects voided streams (for example, a `notPaused` check would do so if voiding sets the rate per second to zero); if it does, the change is a consistency and readability fix rather than a security fix.
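The modifier pattern under discussion, as an added example that is not Sablier's code: a stripped-down stream contract with `notVoided` and `notPaused` modifiers, a `depositAndPause` variant without `notVoided` (the shape this finding flags) beside the recommended shape with it, and a Foundry test that performs the check a reviewer should run before filing: void a stream, then observe which error each variant reverts with. The contract and error names, the storage layout, the `depositAndPauseImplicit` name and the assumption that voiding also zeroes the rate per second are all constructed for this example and are not taken from SablierFlow.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.22;

import { Test } from "forge-std/Test.sol";

/// Added example, not SablierFlow: a stripped-down stream contract carrying the two
/// modifiers the finding compares. Storage layout, error names and the rule that
/// voiding zeroes the rate per second are simplifying assumptions made here.
contract MinimalFlow {
    struct Stream { address sender; uint128 balance; uint128 ratePerSecond; bool isVoided; }

    error StreamVoided(uint256 streamId);
    error StreamPaused(uint256 streamId);
    error NotSender(uint256 streamId);

    mapping(uint256 => Stream) internal _streams;
    uint256 public nextStreamId = 1;

    modifier onlySender(uint256 streamId) {
        if (msg.sender != _streams[streamId].sender) revert NotSender(streamId);
        _;
    }
    modifier notVoided(uint256 streamId) {
        if (_streams[streamId].isVoided) revert StreamVoided(streamId);
        _;
    }
    modifier notPaused(uint256 streamId) {
        if (_streams[streamId].ratePerSecond == 0) revert StreamPaused(streamId);
        _;
    }

    function create(uint128 ratePerSecond) external returns (uint256 streamId) {
        streamId = nextStreamId++;
        _streams[streamId] = Stream(msg.sender, 0, ratePerSecond, false);
    }

    function void(uint256 streamId) external onlySender(streamId) notVoided(streamId) {
        _streams[streamId].isVoided = true;
        _streams[streamId].ratePerSecond = 0; // assumption: voiding also stops streaming
    }

    /// Same guard as the audited `deposit`: voided streams are rejected explicitly.
    function deposit(uint256 streamId, uint128 amount) external notVoided(streamId) {
        _deposit(streamId, amount);
    }

    /// The shape the finding flags: no `notVoided`. A voided stream is rejected here
    /// only because `void` zeroed the rate, so `notPaused` trips.
    function depositAndPauseImplicit(uint256 streamId, uint128 amount)
        external onlySender(streamId) notPaused(streamId)
    {
        _deposit(streamId, amount);
        _pause(streamId);
    }

    /// The recommended shape: the voided state is rejected regardless of the rate.
    function depositAndPause(uint256 streamId, uint128 amount)
        external onlySender(streamId) notVoided(streamId) notPaused(streamId)
    {
        _deposit(streamId, amount);
        _pause(streamId);
    }

    function balanceOf(uint256 streamId) external view returns (uint128) {
        return _streams[streamId].balance;
    }

    function _deposit(uint256 streamId, uint128 amount) internal {
        _streams[streamId].balance += amount; // ERC-20 transfer omitted for brevity
    }

    function _pause(uint256 streamId) internal {
        _streams[streamId].ratePerSecond = 0;
    }
}

/// Foundry test: the check to run before filing. Void a stream, then see which
/// error each variant reverts with and confirm no balance was credited.
contract MinimalFlowTest is Test {
    MinimalFlow internal flow;
    uint256 internal streamId;

    function setUp() public {
        flow = new MinimalFlow();
        streamId = flow.create(1e18); // the test contract is the stream's sender
        flow.void(streamId);
    }

    function test_DepositAndPause_RevertsOnVoidedStream() public {
        vm.expectRevert(abi.encodeWithSelector(MinimalFlow.StreamVoided.selector, streamId));
        flow.depositAndPause(streamId, 100);

        // Rejected only because `void` zeroed the rate; remove that zeroing in `void`
        // and this call succeeds, crediting a voided stream.
        vm.expectRevert(abi.encodeWithSelector(MinimalFlow.StreamPaused.selector, streamId));
        flow.depositAndPauseImplicit(streamId, 100);

        assertEq(flow.balanceOf(streamId), 0);
    }
}
```

Run with `forge test` in a project that has forge-std installed. The point of the two assertions is the difference between them: the explicit variant rejects the voided stream on its own, while the implicit variant only does so because of how `void` happens to be implemented. Whether the audited contract's `void` gives `depositAndPause` that incidental protection is exactly what decides the severity of this finding.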

Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
